

Hi Peaches. I'm going to be looking at the XEX, as I have been slowly understanding parts of them. I plan to get a check-removed XEX made in a bit. However, I've been waiting on amd to get me the re-compressor so I can test it as I do it. Although it should be fairly simple: locate xexcryptsha and break the function.

EDIT:

OK, upon quickly looking at the XEX I found a few functions that call xecryptsha which we will likely need to break. However, I see some problems that may arise with some because they also call NTCreateFile and so forth. So maybe it's putting checks on other things, but I'll figure it out.

Here are the offsets for what we will need to change. I'm not sure exactly which ones will be needed.

What you do is go to the offset, find the float value that is located there and remove the decimal. This is the easiest way to break functions.

0x831190DC - calls NTCreateFile

0x8311B644 - alone, maybe just a check

0x8311C83C - alone

0x8311D6E4 - called lower in the function

0x8311EA1C - as well, called lower in the function

0x8311F81C - same as two above

Personally, I feel that the 2nd and 3rd offsets would likely be plain checks in the XEX, for when maps are loading. So those are my best guess to break the encryption.

As well, Peaches, I believe I have both of your MSNs added so I could probably try to help you a little on there with IDA.


@Peaches, I'm sure that's a simple flag in the XEX. I'm by no means great with IDA, but I'll start disassembling the XEX and see if I can achieve anything. I saw the "Matchmaking" option, and now I want to see what's inside it.


Well, I went into IDA and looked a bit at the offsets that Peaches put down. Those are just strings. But the full functions for the debug menu can be found. I'll link their offsets and then I'll find a compare that enables them for us.


Lol. I'm still learning. I made about 10 different XEXs changing random things. About to go test them.

EDIT: Tell me if I'm interpreting this right.

The loc up top is just a way to access this block of code, much like I can use goto 1; and place 1: somewhere in my code?


Peaches, why are you modding XEXs all the time? Depending on what you're doing, you can poke the XEX to see the results faster. I simply use my advanced poker in Ascension. As well, it lets you save tags so you can share them with others.


Now a question. When I look for offsets in my decompressed, unencrypted XEX, they're always like 0x3FE4 away from the actual data location. When using this poker, do I use the location from IDA?

EDIT: Cannot get the XEX poker to load.

************** Exception Text **************
System.IO.FileNotFoundException: Could not load file or assembly 'Newtonsoft.Json, Version=3.5.0.0, Culture=neutral, PublicKeyToken=30ad4fe6b2a6aeed' or one of its dependencies. The system cannot find the file specified.
File name: 'Newtonsoft.Json, Version=3.5.0.0, Culture=neutral, PublicKeyToken=30ad4fe6b2a6aeed'

Neighborhood sees my console fine, if that could be a problem.

I somehow lost that DLL. I redownloaded it. All good.

EDIT3: This thing is sexy. I click poke. Boom, enabled. Then fatal crash.

stwu = Store word with update. This is a bit complicated to explain. stwu takes the form stwu reg1, off(reg2) where reg1 contains the value to be stored, reg2 contains a memory address, and off is the offset from that memory address to store to. It will first store the value in reg1 to the offset reg2 + off, and then store that offset back into reg2. So what that line is effectively doing is saving the stack pointer and allocating 0x60 bytes on the stack by setting sp to sp - 0x60 (the stack grows downward in memory, so that's why the 0x60 is negative).

lwz = Load word and zero, loads a 4-byte value into a register and sets the upper 32 bits of the register to 0 (registers are 64-bit, so this ensures that they're set properly when loading something smaller).

mtspr = Move To Special Purpose Register, copies a value into a special purpose register (opposite of mfspr).

ld = Load double word, loads a 64-bit value from memory.

blr = Branch to Link Register, jumps to the location stored in the Link Register. AKA return from function.
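Added example, not from the thread: a small C model of the stwu and lwz semantics described above, using a constructed 64-bit register file and a toy big-endian memory (the Xbox 360 CPU is big-endian). It walks the "stwu r1, -0x60(r1)" prologue and shows lwz zeroing the upper half of a register; the register/memory sizes and sample values are assumptions for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy model: 32 x 64-bit GPRs and a tiny big-endian memory.
 * Example code only; not taken from the thread or from any XEX. */
#define MEM_SIZE 0x200
static uint8_t mem[MEM_SIZE];
static uint64_t gpr[32];

static void check(uint64_t addr, size_t n) {
    if (addr + n > MEM_SIZE) abort();   /* keep the toy memory in bounds */
}
uint32_t load32(uint64_t a) {
    check(a, 4);
    return ((uint32_t)mem[a] << 24) | ((uint32_t)mem[a + 1] << 16) |
           ((uint32_t)mem[a + 2] << 8) | (uint32_t)mem[a + 3];
}
static void store32(uint64_t a, uint32_t v) {
    check(a, 4);
    mem[a] = (uint8_t)(v >> 24); mem[a + 1] = (uint8_t)(v >> 16);
    mem[a + 2] = (uint8_t)(v >> 8); mem[a + 3] = (uint8_t)v;
}
/* stwu rS, off(rA): store low 32 bits of rS at rA+off, then rA = rA+off */
void stwu(int rS, int32_t off, int rA) {
    uint64_t ea = gpr[rA] + (int64_t)off;
    store32(ea, (uint32_t)gpr[rS]);
    gpr[rA] = ea;                /* the "update" part: base register moves */
}
/* lwz rD, off(rA): load 32 bits and zero the upper 32 bits of rD */
void lwz(int rD, int32_t off, int rA) {
    gpr[rD] = (uint64_t)load32(gpr[rA] + (int64_t)off);
}

/* Prologue "stwu r1, -0x60(r1)" with r1 as the stack pointer; returns new r1. */
uint64_t demo_prologue(void) {
    memset(mem, 0, sizeof mem); memset(gpr, 0, sizeof gpr);
    gpr[1] = 0x100;              /* stack pointer on entry (constructed) */
    stwu(1, -0x60, 1);           /* old sp saved at 0xA0, r1 becomes 0xA0 */
    return gpr[1];
}
/* lwz into a register whose upper half held junk: upper bits come back as 0 */
uint64_t demo_lwz_zero_extend(void) {
    memset(mem, 0, sizeof mem); memset(gpr, 0, sizeof gpr);
    store32(0x10, 0xDEADBEEF);   /* constructed word in memory */
    gpr[3] = 0x10;               /* base register */
    gpr[2] = 0xFFFFFFFFFFFFFFFFULL;
    lwz(2, 0, 3);
    return gpr[2];               /* 0x00000000DEADBEEF */
}
```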